Please ignore me, Jacques! For some reason, where you wrote 'backport', I read 'revert'! I incorrectly thought you were proposing to revert OFBIZ-11960.
Sorry for any confusion caused.

Dan.

On Sat, 16 Oct 2021 at 18:20, Daniel Watford <d...@foomoo.co.uk> wrote:
> Hi Jacques,
>
> As far as I can tell, if OFBIZ-11960 is backported we will end up with
> jquery-validation v1.19.0
> (themes/common-theme/webapp/common/js/jquery/plugins/validate/jquery.validate.js).
> Does this version also have the security issue? If so, then backporting
> OFBIZ-11960 won't result in secure JavaScript libraries.
>
> If v1.19.0 does not suffer the same security issue, then we can
> update themes/common-theme/webapp/common/js/package.json to retrieve that
> particular version.
>
> Thanks,
>
> Dan.
>
> On Sat, 16 Oct 2021 at 18:03, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>
>> Hi,
>>
>> Thanks to Aditya's work at OFBIZ-11960 <https://issues.apache.org/jira/browse/OFBIZ-11960>
>> "Use NPM with gradle to get external JS dependencies"
>> (thanks also to Daniel's commit) and Dependabot installed at GH, I have been
>> warned about this vulnerability. It did not reach comm...@ofbiz.apache.org
>> because of a bug I reported at INFRA-22418 <https://issues.apache.org/jira/browse/INFRA-22418>.
>>
>> If nobody objects, I'll backport the work done for OFBIZ-11960 because it
>> will secure our js libs usage.
>>
>> Jacques
>
> --
> Daniel Watford

--
Daniel Watford
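The two questions raised in the thread (which jquery-validation version a backport would leave in package.json, and whether that version is the one the advisory covers) can be settled mechanically rather than by reading the file by hand. The script below is an added illustration, not code from the thread or from OFBiz: it takes a package.json text, reports the lowest version each dependency spec allows, checks that version against an advisory's affected range, and rewrites the spec to an exact version. The package.json contents, the affected range and the "fixed in" version are constructed placeholders (the thread never states the advisory's actual range), and every function name is hypothetical.

```javascript
// Added example (not OFBiz or thread code). Checks a package.json dependency
// spec against an advisory range and pins it to an exact version.
// All sample data below is constructed for illustration.

// "1.19.0" -> [1, 19, 0]; ignores any prerelease/build suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// range: whitespace-separated comparators that must all hold, e.g. ">=1.0.0 <1.19.3".
function satisfiesRange(version, range) {
  return range.split(/\s+/).filter(Boolean).every((comparator) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comparator);
    const op = m[1] || '=';
    const cmp = compareVersions(version, m[2]);
    switch (op) {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// The lowest version an npm spec such as "^1.19.0" or "~1.19.0" can resolve to.
// Note: the version actually installed is fixed by the lock file; this is only
// the floor the spec guarantees, which is the conservative thing to audit.
function minimumVersionOfSpec(spec) {
  const m = /(\d+\.\d+\.\d+)/.exec(spec);
  if (!m) throw new Error(`cannot read a version from spec: ${spec}`);
  return m[1];
}

// Returns a new package.json text with `name` pinned to an exact version (no ^ or ~).
function pinDependency(packageJsonText, name, exactVersion) {
  parseVersion(exactVersion); // refuse to pin to something that is not a version
  const pkg = JSON.parse(packageJsonText);
  pkg.dependencies = pkg.dependencies || {};
  pkg.dependencies[name] = exactVersion;
  return JSON.stringify(pkg, null, 2) + '\n';
}

// Returns one finding per dependency whose guaranteed floor falls in an advisory range.
function audit(packageJsonText, advisories) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const floor = minimumVersionOfSpec(spec);
    for (const adv of advisories) {
      if (adv.name === name && satisfiesRange(floor, adv.vulnerableRange)) {
        findings.push({ name, spec, floor, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

// Constructed sample package.json (not the real OFBiz common-theme file).
const samplePackageJson = JSON.stringify({
  name: 'common-theme-js-sample',
  dependencies: { 'jquery-validation': '^1.19.0', jquery: '3.5.1' },
}, null, 2);

// Constructed placeholder advisory: the range and fix version are assumptions,
// not the advisory the thread refers to.
const sampleAdvisories = [
  { name: 'jquery-validation', vulnerableRange: '<1.19.3', fixedIn: '1.19.3' },
];

const findingsBefore = audit(samplePackageJson, sampleAdvisories);
const pinnedPackageJson = pinDependency(samplePackageJson, 'jquery-validation', '1.19.3');
const findingsAfter = audit(pinnedPackageJson, sampleAdvisories);
console.log(findingsBefore); // [{ name: 'jquery-validation', spec: '^1.19.0', floor: '1.19.0', fixedIn: '1.19.3' }]
console.log(findingsAfter);  // []
```

Pinning to an exact version is what makes the package.json answer the "which version do we end up with" question on its own; with a caret range the answer depends on the lock file and on what the registry serves at install time, which is exactly the uncertainty the thread is trying to remove.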